Cloud Computing: What You Don't Know Can Hurt You
Transcript of Cloud Computing: What You Don't Know Can Hurt You
Patrick X. Fowler, Esq. Snell & Wilmer LLP Phoenix, Arizona
602.382.6213 | [email protected]
Cloud Computing: What You Don’t Know Can Hurt You
© 2012 Snell & Wilmer L.L.P 1
Today’s Topics
• What is cloud computing?
• Common cloud computing applications
• How does it work?
• Cloud computing concerns
◦ Data Ownership and Access
◦ Data Location and Security
◦ Data Privacy in the US and EU
What is Cloud Computing?
• Using the internet…
• to access remotely-located computer servers…
• for scalable, on-demand software applications, computing power and data storage…
• that you might pay a fee for, but don’t own.
Common Cloud Applications
• Webmail – Gmail, Hotmail, AOL
• Productivity – Microsoft Office 365, GoogleDocs
• Data Sharing – Dropbox, GoToMeeting
• Data Storage – iCloud, Amazon, Carbonite
• Social Media – Facebook, LinkedIn, YouTube
• Retailing – Amazon, Apple, eBay
• Banking – Chase, Bank of America
• Government – www.apps.gov
Most Common Use of the Cloud?
• Social Networking – By Far
“Official” Government Definition
National Institute of Standards and Technology
Responsible for developing standards and guidelines for providing information security for all federal gov’t agencies and assets.
NIST Special Publication 800-145 (September 2011)
Why Are We Moving to the Cloud?
• It’s much cheaper to rent than to own.
◦ Outsourcing to the cloud reduces corporate data storage costs by 80%, and requires a smaller IT staff
• It’s more flexible/scalable/elastic.
◦ Quickly expand and contract storage and computing needs, based on demand.
◦ Faster access to improved technology.
• It’s more secure – in some respects.
◦ Remote, redundant data back-ups in case of disaster
How Does Cloud Computing Work?
• Major cloud providers:
◦ Amazon
◦ Google
◦ Microsoft
◦ Apple
• Major cloud providers have multiple, distant data centers (i.e. server farms) where data is redundantly stored/processed.
Cloud Data Center Locations
• Amazon:
◦ North America (CA, OR)
◦ EU (Ireland)
◦ Asia (Singapore, Tokyo)
◦ South America (Brazil)
◦ Future: Buried in Siberian permafrost?
• Google:
◦ USA (SC, NC, GA, OK, IA, OR)
◦ Finland, Belgium
◦ Hong Kong, Singapore, Taiwan
◦ Future: Cargo ships powered & cooled by the sea?
How is Data Stored in the Cloud?
Per Google’s web site:
• Data is not stored on a single machine or set of machines; data from all Google customers is distributed amongst a shared infrastructure composed of many computers located across Google’s many data centers.
• Data is chunked and replicated over multiple systems so that no one system is a single point of failure. Data chunks are given random file names and they’re not stored in clear text, so they’re not humanly readable.
Source: http://www.google.com/about/datacenters/inside/data-security.html#
Cloud Computing Concerns
• Data Ownership & Access
• Data Location and Security
• Data Privacy
• What Law Governs?
• E-Discovery Obligations
If possible, your contract with the cloud provider should address these issues.
Data Ownership & Access
Cloud Data Ownership & Access
• Who owns the data once it has been uploaded?
◦ Short Answer: Should not be the cloud provider!
• Who owns the servers where the data is stored?
◦ Is it the party with whom you contracted? A third party? How many links in the contract chain?
• How often will the data be accessible?
◦ Industry custom is 99.99% of the time.
• What happens if access is interrupted?
◦ Are fee credits provided?
Cloud Data Ownership & Access
• If you terminate the agreement with the cloud provider, what happens to your data?
◦ How long will your data remain on the cloud servers?
◦ Is it then deleted from the cloud provider’s servers?
- Important when dealing with customer data, credit card information, HIPAA data, etc.
• What if the cloud provider goes bankrupt or is shut down by a government?
◦ Example: MegaUpload seized by DOJ in January ’12
• E-discovery obligations?
Data Storage Location & Security
Data Storage Location & Security
• In what countries are the cloud data centers located that will store your data?
◦ Evaluate the data privacy laws where the data centers are located.
◦ Consider potential jurisdictional and choice of law issues.
• Is the data required to be maintained within a certain country?
◦ E.g., Government records, national defense materials.
Data Storage Location & Security
• What physical and digital security standards does the cloud provider adhere to? Will it tell you?
• How do they compare to the security procedures used by Amazon, Google and Microsoft?
• Do outside auditors certify the proper storage and use of data by the cloud provider?
Data Storage Location & Security
• Physical security measures:
◦ Nondescript facilities, restricted physical access, video surveillance, biometric clearance;
◦ Fire detection and suppression, uninterrupted power supply, climate and temperature control;
◦ Redundant data storage in different locations;
◦ A business continuity and disaster recovery plan to ensure service is maintained & to recover any data loss.
Data Storage Location & Security
• Digital security measures:
◦ Is your data securely stored when “at rest” and securely moved between locations?
◦ Does the cloud provider have rights to access your data? If so, why?
◦ Is your data stored in aggregate with other customers? If so, how good is the disaggregation?
◦ How does the cloud provider decommission old storage devices that once held your data?
Data Storage Location & Security
• What if your data is corrupted, lost or stolen?
◦ Caveat emptor. Let the buyer beware.
◦ Terms of service typically disclaim all warranties and exclude liability for any damages.
• Example:
◦ “WE AND OUR AFFILIATES OR LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES….”
Choose your cloud provider wisely!
• If you have little or no leverage in negotiating terms with the cloud provider…
◦ Is the cloud provider reputable & reliable?
- How transparent is the cloud provider willing to be?
- Quality vs. price – you probably get what you pay for.
- Is the cost savings worth the risk of data loss/interruption?
◦ What contingency plan do you have if the service fails?
- Separate, independent digital back-up?
- Hard copy back-up?
◦ What remedies, if any, do you have against the cloud provider if there is data loss or service failure?
Data Privacy
Data Privacy Issues
• Data in the cloud is subject to different protections than information stored in-house;
◦ Data in the cloud = held by a third-party
• Currently: there is a patchwork of Federal and State data privacy laws;
• US and EU data privacy rules significantly differ;
◦ EU has more protections and regulations
• US and EU have recently proposed expanded data privacy regulations.
Data Privacy Issues
• Existing laws can compel disclosure of cloud data to the government.
◦ Electronic Communications Privacy Act (ECPA)
◦ Stored Communications Act (SCA)
◦ USA Patriot Act
- National Security Letters
- Foreign Intelligence Surveillance Act (FISA) Warrants
◦ Warrants and subpoenas generally
Data Privacy Issues
• Current rules imposing data security and/or breach notification obligations, including:
◦ Sarbanes-Oxley
◦ Family Educational Rights and Privacy Act (FERPA)
◦ Health Insurance Portability & Accountability Act (HIPAA)
◦ Health Information Technology for Economic and Clinical Health (HITECH) Act
◦ Gramm-Leach-Bliley Act (GLBA)
◦ FTC Act, Section 5 (for companies that store customer information on the cloud)
◦ State Laws and Regulations
Data Privacy: New Regulations?
• Significantly expanded data privacy regulation schemes proposed in early 2012:
◦ White House: Consumer Privacy Bill of Rights
◦ EU: New General Data Protection Regulations
Data Privacy: New Regulations?
White House Proposal – Feb. 2012
• On-line Consumer Privacy Bill of Rights
• Enforceable Codes of Conduct
• Expanded FTC Role Re Data Privacy Rights Enforcement
• Increased “Global Interoperability” re various consumer data privacy regs
Proposed “Consumer Privacy Bill of Rights”
• Intended goals are:
◦ Preserve online consumer trust in the internet economy,
◦ While providing Internet companies with the regulatory certainty needed to permit innovation in on-line commerce.
• Available on-line:
◦ http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
Proposed “Consumer Privacy Bill of Rights”
• Individual Control by consumers of the data collected by companies and how those companies use such data;
• Transparency regarding privacy and security practices;
• Respect for Context to ensure that companies use data consistently with the context in which the consumer provides the data;
• Security in handling personal data;
Proposed “Consumer Privacy Bill of Rights”
• Access and Accuracy including the right of consumers to access and correct personal data;
• Focused Collection through reasonable limits on collection and retention by companies of personal data; and
• Accountability to ensure that companies handling data adhere to the Consumer Privacy Bill of Rights.
Proposed “Consumer Privacy Bill of Rights”
• The White House proposes voluntary adoption of a binding code of conduct incorporating the privacy principles in the bill of rights…thus making it enforceable under Section 5 of the FTC Act.
• Alternatively, the White House proposes that Congress pass a law incorporating the privacy bill of rights.
• Unlikely that Congress will pass legislation this year.
Proposed EU Data Protection Regulations
• Proposed January 25, 2012
• Significant expansion of current EU data privacy scheme
• Data privacy already a fundamental right, per the EU Constitution
• Potential implications beyond EU borders
Proposed EU Data Protection Regulations
• Would apply to almost all data collection and processing activities regarding EU “data subjects”
◦ Would cover controllers and processors located in the EU
◦ Would also cover controllers and processors located outside of the EU if they offer goods or services to data subjects in the EU or monitor their behavior
• Increased protections must be assured before consumer data may be moved outside the EU
Proposed EU Data Protection Regulations
• Provides increased consumer control of data
◦ With few exceptions, data subjects must give “informed consent” (generally through an “opt-in” process) before their personal data may be processed;
• Internet users would have “The Right to be Forgotten”
◦ Data subject would be entitled to have personal data erased, even if the data has been made public!
• Available on-line:
◦ http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
Thank you
Patrick X. Fowler, Esq. Snell & Wilmer LLP Phoenix, Arizona
602.382.6213 | [email protected]